Add support for enabling SASL for SPICE guests
authorDaniel P. Berrange <berrange@redhat.com>
Fri, 24 Feb 2012 14:13:06 +0000 (14:13 +0000)
committerDaniel P. Berrange <berrange@redhat.com>
Thu, 17 Oct 2013 15:02:43 +0000 (16:02 +0100)
QEMU has support for SASL auth for SPICE guests, but libvirt
has no way to enable it. Follow the example from VNC, where
it is globally enabled via qemu.conf.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
src/qemu/libvirtd_qemu.aug
src/qemu/qemu.conf
src/qemu/qemu_command.c
src/qemu/qemu_conf.c
src/qemu/qemu_conf.h
src/qemu/test_libvirtd_qemu.aug.in
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args [new file with mode: 0644]
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml [new file with mode: 0644]
tests/qemuxml2argvtest.c

index 32db9839dbdcfc5bf02b908efbd336c9698614d1..93a2a29aed7eb4a5811f05ca941dad6837bb0227 100644 (file)
@@ -38,6 +38,8 @@ module Libvirtd_qemu =
                  | bool_entry "spice_tls"
                  | str_entry  "spice_tls_x509_cert_dir"
                  | str_entry "spice_password"
+                 | bool_entry "spice_sasl"
+                 | str_entry "spice_sasl_dir"
 
    let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
index bf57b9cf45ab26fcb10c08cddf14c672fbc1aad6..e5ff33d5220638cd25e4ee02f98dce8f0c732787 100644 (file)
 #spice_password = "XYZ12345"
 
 
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
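Review bot: The new `spice_sasl` comment describes the option as "SASL encryption" and names the plugin "GSSPI", both of which can mislead an administrator. SASL is an authentication framework, and whether the session is also protected depends on the mechanism chosen in /etc/sasl2/qemu.conf. The first line would be more accurate as `# Enable use of SASL authentication on the SPICE server. This requires`, and the example should read `(eg, GSSAPI for Kerberos)`. It would also help to add one sentence advising that mechanisms which do not negotiate a security layer be combined with `spice_tls`.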
index abb62e923678a750eaa20327967cb541c30e3000..814f368e06b22bf15f54d0012f82bdd6707dc4f4 100644 (file)
@@ -7191,6 +7191,16 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg,
         virBufferAsprintf(&opt, "tls-port=%u", tlsPort);
     }
 
+    if (cfg->spiceSASL) {
+        virBufferAddLit(&opt, ",sasl");
+
+        if (cfg->spiceSASLdir)
+            virCommandAddEnvPair(cmd, "SASL_CONF_PATH",
+                                 cfg->spiceSASLdir);
+
+        /* TODO: Support ACLs later */
+    }
+
     switch (virDomainGraphicsListenGetType(graphics, 0)) {
     case VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS:
         listenAddr = virDomainGraphicsListenGetAddress(graphics, 0);
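Review bot: `SASL_CONF_PATH` is a process-wide environment variable, so exporting it from `cfg->spiceSASLdir` inside the `if (cfg->spiceSASL)` block affects every SASL consumer in the QEMU process, not only SPICE. If the VNC path exports the same variable from its own directory setting (not visible in this hunk), a guest with both displays gets whichever value wins, and one server would authenticate against the other's SASL configuration. Either reject differing directories or document the sharing, e.g. `/* SASL_CONF_PATH is per-process: shared with any other SASL server in this QEMU */`. The TODO could also state the current consequence, presumably `/* TODO: Support ACLs later; until then any identity that passes SASL auth may connect */`. The function body starts and ends outside the hunk.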
index 44a2296dd897689cf277c0f256b04bf686121f8d..8d7bee8296e99fe4c1a02a66f3332bdc5ac56ba9 100644 (file)
@@ -284,6 +284,7 @@ static void virQEMUDriverConfigDispose(void *obj)
     VIR_FREE(cfg->spiceTLSx509certdir);
     VIR_FREE(cfg->spiceListen);
     VIR_FREE(cfg->spicePassword);
+    VIR_FREE(cfg->spiceSASLdir);
 
     VIR_FREE(cfg->hugetlbfsMount);
     VIR_FREE(cfg->hugepagePath);
@@ -397,6 +398,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 
     GET_VALUE_BOOL("spice_tls", cfg->spiceTLS);
     GET_VALUE_STR("spice_tls_x509_cert_dir", cfg->spiceTLSx509certdir);
+    GET_VALUE_BOOL("spice_sasl", cfg->spiceSASL);
+    GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
     GET_VALUE_STR("spice_listen", cfg->spiceListen);
     GET_VALUE_STR("spice_password", cfg->spicePassword);
 
index ea3c69111d7a8aed91c5bc104ff91262aeb516f6..d8304af93c35aaf5568fb3a8e889ebfc6af014d8 100644 (file)
@@ -111,6 +111,8 @@ struct _virQEMUDriverConfig {
 
     bool spiceTLS;
     char *spiceTLSx509certdir;
+    bool spiceSASL;
+    char *spiceSASLdir;
     char *spiceListen;
     char *spicePassword;
 
index 7af3f64786f2f4d268c04e437bf054eac133a2d9..7417d124e3d8e32c24cfe6ecf07e88811a7296c5 100644 (file)
@@ -15,6 +15,8 @@ module Test_libvirtd_qemu =
 { "spice_tls" = "1" }
 { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
 { "spice_password" = "XYZ12345" }
+{ "spice_sasl" = "1" }
+{ "spice_sasl_dir" = "/some/directory/sasl2" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
new file mode 100644 (file)
index 0000000..8847bce
--- /dev/null
@@ -0,0 +1,9 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test \
+SASL_CONF_PATH=/root/.sasl2 QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults \
+-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
+/dev/HostVG/QEMUGuest1 \
+-spice port=5903,tls-port=5904,sasl,addr=127.0.0.1,\
+x509-dir=/etc/pki/libvirt-spice,tls-channel=default \
+-vga qxl -global qxl.ram_size=67108864 -global \
+qxl.vram_size=18874368 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
new file mode 100644 (file)
index 0000000..eb630fa
--- /dev/null
@@ -0,0 +1,35 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219100</memory>
+  <currentMemory unit='KiB'>219100</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1' defaultMode='secure'>
+      <listen type='address' address='127.0.0.1'/>
+    </graphics>
+    <video>
+      <model type='qxl' ram='65536' vram='18432' heads='1'/>
+    </video>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
index 060acf29bad95ed71a4a567eeef5cf17ebcfadeb..b14e71384b9c8934cfcf955a1d67ee9b3d390be3 100644 (file)
@@ -660,6 +660,14 @@ mymain(void)
             QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
             QEMU_CAPS_DEVICE_QXL);
+    driver.config->spiceSASL = 1;
+    ignore_value(VIR_STRDUP(driver.config->spiceSASLdir, "/root/.sasl2"));
+    DO_TEST("graphics-spice-sasl",
+            QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
+            QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
+            QEMU_CAPS_DEVICE_QXL);
+    VIR_FREE(driver.config->spiceSASLdir);
+    driver.config->spiceSASL = 0;
     DO_TEST("graphics-spice-agentmouse",
             QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
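Review bot: The result of `VIR_STRDUP` is discarded with `ignore_value`, so an allocation failure leaves `spiceSASLdir` NULL and the `graphics-spice-sasl` case fails on an argv mismatch (no `SASL_CONF_PATH`) instead of on the real cause. Checking it reports the failure directly: `if (VIR_STRDUP(driver.config->spiceSASLdir, "/root/.sasl2") < 0) return EXIT_FAILURE;`. Since `spiceSASL` is declared `bool` in this commit, `true`/`false` read better than `1`/`0` here. `mymain` continues outside the hunk.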